What Is IAM?

This section provides an introduction to IAM.

AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage
users and user permissions in AWS. The service is targeted at organizations with multiple
users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console. With
IAM, you can centrally manage users, security credentials such as access keys, and
permissions that control which AWS resources users can access.

Without IAM, organizations with multiple users and systems must
either create multiple AWS accounts, each with its own billing and subscriptions to AWS
products, or have all employees share the security credentials of a single AWS account. Also,
without IAM, you have no control over the tasks a particular user or system can perform or
the AWS resources they might use.

IAM addresses this issue by enabling organizations to create multiple
users (each user is a person, system, or application) who can use AWS
products, each with individual security credentials, all controlled by and billed to a single
AWS account. With IAM, each user is allowed to do only what they
need to do as part of their job.

Video Introduction to IAM

In the following video you'll learn the basics of using IAM
to manage access to specific resources in your organization's AWS account. This video uses
the AWS Management Console to show you how to create groups of users, set permissions for each group,
generate a password, and use a sign-in URL to sign in to the console as an IAM user.

Pricing of IAM

AWS Identity and Access Management is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your IAM users. For information about the pricing of other AWS services, see the Amazon Web Services pricing page.

Features of IAM

IAM includes the following features:

Central control of users and security
credentials—You can control creation, rotation, and revocation of each
user's AWS security credentials (such as access keys)

Central control of user access—You can control
what data in the AWS system users can access and how they access it

Shared AWS resources—Users can share data for
collaborative projects

Permissions based on organizational groups—You
can restrict users' AWS access based on their job duties (for example, admin or developer)
or departments. When users move inside the organization, you can easily update their
AWS access to reflect the change in their role

Central control of AWS resources—Your
organization maintains central control of the AWS data the users create, with no breaks
in continuity or lost data as users move around within or leave the organization

Control over resource creation—You can help make
sure that users create AWS data only in sanctioned places

Networking controls—You can help make sure that
users can access AWS resources only from within the organization's corporate network,
using SSL

Supported AWS Products

The APIs for services do not change when they add support for IAM. Products that
integrate with IAM have no new API actions related to access control.

Migration to IAM

If your organization already uses AWS, migrating to IAM can be easy or more
challenging, depending on how your organization currently allocates its AWS resources.
Here are the three scenarios.

Your organization has just a single AWS account. In
this case, you can easily migrate to using IAM, because all the organization's AWS
resources are already together under a single AWS account.

Your organization has multiple AWS accounts, with each AWS
account belonging to a division in the organization. If these divisions don't
need to share resources or users, then migrating is easy. Each division can keep its own
AWS account and use IAM separately from the other divisions. You could also use
Consolidated Billing, which would allow your organization to get a single bill across the
AWS accounts (see IAM and Consolidated Billing).

Your organization has multiple AWS accounts that don't
represent logical boundaries between divisions. If you need the AWS
accounts to share their resources and have common users, migrating to IAM will be
more of a challenge. You will need to move the resources that need to be shared so they're
under the ownership of a single AWS account. However, there's no automatic way to
transfer the AWS resources from one AWS account to another. You need to create those
resources again under the single AWS account.

No Change to Basic AWS Account Functions

There's no change to how an AWS account functions in terms of its login/password,
security credentials, payment method, AWS account activity page, usage report, and so on.
At this time, the AWS account activity page does not show a breakdown by user.

Security Credentials

Any person or application that interacts with AWS requires security
credentials. AWS uses these credentials to identify who is making the call and
whether to allow the requested access.

When you sign up for AWS, you sign up with an email address and
password. Using these credentials, you can get full access to all resources in your AWS
account. Because the permissions granted by these account credentials cannot be restricted,
AWS recommends that you use IAM credentials for day-to-day interaction with
AWS. We recommend that you lock away the credentials that you used for setting up
the account. As soon as you've created your account, set up an administrators group for your
organization, create IAM users (including one for yourself), add them to the administrators
group, and then give them privileges to administer your AWS resources. For more information,
see IAM Best Practices.

Note

To help control who has access to the AWS account's credentials, AWS recommends that
you use multi-factor authentication (MFA) with your AWS account's email address and
password. For detailed information about AWS MFA, see the AWS Multi-Factor Authentication
FAQs.

With IAM, you can control who can access which resources. For example, you can create
individual users and give them each their own user name, password, and access keys. After you
create your users, you can assign them different permissions to control which resources they
can access. For more information, see IAM Users and Groups.
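
The following is an added example, not code from this guide or from AWS. It models how
the permissions described above (and in the "Permissions based on organizational groups"
feature) decide whether a request made with an IAM user's credentials is allowed: a request
is denied unless some statement allows it, and an explicit Deny overrides any Allow. The
group names, user names, bucket name, account number, and the Administrators and Developers
policies are constructed for illustration; the Version string "2012-10-17" is the real IAM
policy-language version. The wildcard matching here is a simplification of what IAM does.

```python
"""Simplified model of IAM permission evaluation (added example, not AWS code).

Rules modelled:
  * default deny: a request with no matching Allow statement is denied,
  * an explicit Deny statement overrides any Allow,
  * Action and Resource patterns accept the '*' and '?' wildcards,
  * action names are compared case-insensitively, resource ARNs are not.
All users, groups, policies and ARNs below are constructed sample data.
"""
import fnmatch

# Administrators: full access to everything in the account.
ADMINISTRATORS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Developers: read/start/stop EC2, use one development bucket, never touch IAM.
DEVELOPERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-dev-bucket/*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed group membership: carol sits in both groups to show Deny winning.
GROUP_POLICIES = {
    "Administrators": [ADMINISTRATORS_POLICY],
    "Developers": [DEVELOPERS_POLICY],
}
USER_GROUPS = {
    "alice": ["Administrators"],
    "bob": ["Developers"],
    "carol": ["Administrators", "Developers"],
}


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """Wildcard match supporting '*' and '?' (simplified IAM matching)."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(user, action, resource):
    """Return 'Allow' or 'Deny' for a request signed with the user's credentials."""
    decision = "Deny"  # default deny: no statement matched yet
    for group in USER_GROUPS.get(user, []):  # unknown user -> no groups -> Deny
        for policy in GROUP_POLICIES.get(group, []):
            for stmt in policy["Statement"]:
                action_hit = any(_matches(p, action, True)
                                 for p in _as_list(stmt["Action"]))
                resource_hit = any(_matches(p, resource)
                                   for p in _as_list(stmt["Resource"]))
                if not (action_hit and resource_hit):
                    continue
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny wins over every Allow
                decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed account id and ARNs used only for this demonstration.
    requests = [
        ("alice", "iam:CreateUser", "arn:aws:iam::123456789012:user/dave"),
        ("bob", "ec2:DescribeInstances", "*"),
        ("bob", "ec2:TerminateInstances", "*"),
        ("bob", "s3:GetObject", "arn:aws:s3:::example-dev-bucket/report.csv"),
        ("bob", "s3:GetObject", "arn:aws:s3:::finance-bucket/report.csv"),
        ("carol", "iam:CreateUser", "arn:aws:iam::123456789012:user/dave"),
    ]
    for who, act, res in requests:
        print(f"{who:6} {act:24} {res:50} {evaluate(who, act, res)}")
```

The Developers policy shows the pattern the feature list describes: a group's permissions
are written once for the job role, and moving a user between groups changes their access
without editing any policy. Carol's case shows why a Deny in one group's policy reaches
every member, even one who is also an administrator.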

For security purposes, we recommend that you rotate your users' credentials on a
regular basis. A user can have multiple access keys at a given time for this
purpose. For more information, see Rotating Credentials.
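
The following is an added example, not code from this guide or from AWS. It walks through
the rotation the paragraph above refers to, using a simulated user record in place of the
real service so it runs offline: because a user may hold two access keys at once, a new key
can be created and put into use before the old one is deactivated and, only after a
successful check, deleted. The user name, key ids and the `switch_application` and
`verify_application` callbacks are constructed; the rule that refuses to delete a key that is
still Active is this example's own safety check, not a behaviour of the IAM API.

```python
"""Access key rotation using the two-keys-per-user allowance (added example, not AWS code).

A simulated IamUser stands in for the service. The step order is the one a
practitioner follows with the real console or API:
  1. create the second key while the old one still works,
  2. switch the application to the new key,
  3. deactivate (do not delete) the old key,
  4. verify the application still works; roll back if it does not,
  5. delete the old key.
Key ids are constructed and carry no real credential material.
"""
import secrets
from dataclasses import dataclass, field

MAX_ACCESS_KEYS_PER_USER = 2  # the allowance that makes in-place rotation possible


@dataclass
class AccessKey:
    key_id: str
    status: str = "Active"  # "Active" or "Inactive"


@dataclass
class IamUser:
    name: str
    keys: list = field(default_factory=list)

    def create_access_key(self):
        if len(self.keys) >= MAX_ACCESS_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: user already has two access keys")
        key = AccessKey("AKIA" + secrets.token_hex(8).upper())  # constructed id
        self.keys.append(key)
        return key

    def find(self, key_id):
        for key in self.keys:
            if key.key_id == key_id:
                return key
        raise KeyError(key_id)

    def update_access_key(self, key_id, status):
        self.find(key_id).status = status

    def delete_access_key(self, key_id):
        key = self.find(key_id)
        # Safety check of this example: an Active key is still in use somewhere.
        if key.status != "Inactive":
            raise RuntimeError("refusing to delete an Active key; deactivate it first")
        self.keys.remove(key)


def rotate_access_key(user, old_key_id, switch_application, verify_application):
    """Replace old_key_id with a fresh key; returns the new key or rolls back."""
    new_key = user.create_access_key()              # 1. both keys now exist
    switch_application(new_key.key_id)              # 2. deploy the new key
    user.update_access_key(old_key_id, "Inactive")  # 3. old key stops working
    if not verify_application():                    # 4. anything still on the old key?
        user.update_access_key(old_key_id, "Active")     # restore service
        user.update_access_key(new_key.key_id, "Inactive")
        user.delete_access_key(new_key.key_id)           # discard the unused key
        raise RuntimeError("rotation rolled back: application failed verification")
    user.delete_access_key(old_key_id)              # 5. old key is gone for good
    return new_key


def demo():
    """Rotate one constructed user's key and return (old_id, new_id, remaining_ids)."""
    user = IamUser("bob")
    old = user.create_access_key()
    app_config = {"access_key_id": old.key_id}  # stands in for the deployed config
    new = rotate_access_key(
        user, old.key_id,
        switch_application=lambda key_id: app_config.__setitem__("access_key_id", key_id),
        verify_application=lambda: app_config["access_key_id"] != old.key_id,
    )
    return old.key_id, new.key_id, [k.key_id for k in user.keys]


if __name__ == "__main__":
    old_id, new_id, remaining = demo()
    print(f"rotated {old_id} -> {new_id}; keys left on user: {remaining}")
```

Deactivating before deleting is the point of step 3: a deactivated key can be switched back
on in seconds if some forgotten job was still using it, whereas a deleted key is gone and
the job stays broken until it is reconfigured.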

IAM and Consolidated Billing

AWS offers a billing feature called Consolidated Billing. This lets
you receive a single bill for multiple AWS accounts. (For more information, see Consolidated Billing in
AWS Billing and Cost Management User Guide.) In contrast, IAM lets you get a single bill
across all the users in a single AWS account.

Your organization can use Consolidated Billing and IAM together. You might do this
if your organization has multiple large divisions, and you want to isolate the users and AWS
resources in each division from the other divisions. You could have a separate AWS account
for each division, and use IAM in each division to create users and control their access
to the division's AWS resources. You could then use Consolidated Billing to get a single
bill across all the AWS accounts. The following diagram illustrates the concept.

With Consolidated Billing, one AWS account becomes the paying
account, and pays for its own charges plus the charges of any linked
AWS accounts. Each linked AWS account doesn't need to maintain a payment
method with AWS, only the paying account does. Each month, AWS charges the paying account
only. The paying account still functions like a normal AWS account; it could have its own
users and AWS resources. Just as with the other AWS accounts, the users and resources in
the paying account are isolated from the users and resources in the divisions' AWS accounts.
The following diagram shows the paying account with its own users and AWS resources.